A Security Lesson from the Dinosaurs

Last week, I got my copy of All Yesterdays (not the used Amazon versions, as the pricing algorithm is failing hilariously). I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.

You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.

So why am I posting this review on a blog that is (more or less) focused on information security?

Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working over time to make guesses about the truth, analyze their mistakes in the face of new evidence and, through a constant stream of screw ups, come closer and closer to consensus. As they’ve done this, everyone has had to constantly adjust to the shifting truth.

In effect, it is a book about evolution … the evolution of species … the evolution of understanding … and the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.

Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are more hackers than professionals who draw dinosaurs, so we do get an advantage of numbers. Still, there is ample room for improvement.

This book explores the problems that arise from:

  • Taking a superficial view of evidence
  • Not comparing logical conclusions to examples of modern data
  • Avoiding analysis and basing beliefs on the misguided work of others
  • Looking strictly at hard evidence and ignoring behavior
  • Hyper-focusing on dramatic scenarios

Sound familiar?

Hoaxicane Sandy

It’s that time again.

Whenever a major media event happens (like Hurricane Sandy), we are inundated with news. Sometimes that news is useful, but often it merely exists to create FUD… Fear, Uncertainty and Doubt. While I have not personally seen any malware campaigns capitalizing on the event yet, it is inevitable. The pattern is generally as follows:

  1. Event hits the news as media outlets try to one-up each other to get the word out.
  2. People spread the warnings, making them just a little bit worse each time they are copied.
  3. Other people create hoaxes to ride the wave of popularity.
  4. Still other people create custom hoaxes to exploit the disaster financially.

A few minutes ago, at least in my little corner of the internet, we hit stage 3 when this image was posted:


(From here.)

Now, as someone who plays with photography, I was a bit suspicious, but as a security person, I can actually prove some things here.

The first tool I want to discuss is FotoForensics. Check out their analysis.

See how the Statue of Liberty and the land on which she stands are much brighter than the background? That indicates that one image has been pasted on top of the other, so we know it’s fake.

Sometimes, though, this trick doesn’t work. If someone is making a good hoax, they can change the error levels to prevent easy detection. That’s where our next tool comes in. TinEye is awesome.
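Error level analysis, the technique FotoForensics applies above, as an added example in Python that is not code from the original post or from FotoForensics. It stands in for the lossy JPEG save with a plain scalar quantizer (an assumption made to keep the example dependency-free; a real analysis re-saves the file as JPEG and diffs it the same way) and flags the 8x8 blocks whose error stands out; the second call shows the caveat, since once the hoaxer re-saves the composite the pasted region settles and no longer stands out.

```python
from typing import List, Tuple

Image = List[List[int]]  # grayscale image: rows of 0..255 samples

def lossy_save(img: Image, step: int = 12) -> Image:
    """Stand-in for a lossy JPEG save (assumption: a scalar quantizer
    replaces JPEG's DCT quantization): snap each sample to a multiple of step."""
    return [[min(255, step * round(v / step)) for v in row] for row in img]

def error_level(img: Image, step: int = 12) -> Image:
    """ELA map: how much one further lossy save changes each sample.
    Samples already at a quantization point do not move; fresh ones do."""
    resaved = lossy_save(img, step)
    return [[abs(a - b) for a, b in zip(r1, r2)] for r1, r2 in zip(img, resaved)]

def block_means(err: Image, block: int = 8) -> List[List[float]]:
    """Average error per block; JPEG works on 8x8 blocks, so ELA is read blockwise."""
    h, w = len(err), len(err[0])
    means = []
    for by in range(0, h, block):
        row = []
        for bx in range(0, w, block):
            vals = [err[y][x] for y in range(by, min(by + block, h))
                    for x in range(bx, min(bx + block, w))]
            row.append(sum(vals) / len(vals))
        means.append(row)
    return means

def suspicious_blocks(img: Image, step: int = 12, block: int = 8,
                      factor: float = 4.0) -> List[Tuple[int, int]]:
    """(block_y, block_x) of blocks whose error level stands out from the rest."""
    means = block_means(error_level(img, step), block)
    flat = sorted(m for row in means for m in row)
    baseline = flat[len(flat) // 2]  # median error over the whole image
    threshold = max(1.0, baseline * factor)
    return [(y, x) for y, row in enumerate(means)
            for x, m in enumerate(row) if m > threshold]

def make_sample() -> Image:
    """Constructed input: a 32x32 gradient 'photo' that has been lossy-saved once,
    with an 8x8 patch of never-compressed samples pasted into block (1, 1)."""
    base = [[(x * 6 + y * 2) % 256 for x in range(32)] for y in range(32)]
    photo = lossy_save(base)  # the genuine photo has already been through compression
    for y in range(8, 16):
        for x in range(8, 16):
            photo[y][x] = 200 + (x + y) % 3  # pasted content, never quantized
    return photo

if __name__ == "__main__":
    hoax = make_sample()
    print("stands out:", suspicious_blocks(hoax))  # [(1, 1)]
    print("after re-saving the composite:", suspicious_blocks(lossy_save(hoax)))  # []
```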

Look what happens when I do a reverse image search on the suspicious file here. (TinEye results expire after 72 hours, so if you’re slow to read this, just paste the URL of the photo into their search box.)

TinEye, by default, is going to try to find the best match. But that’s not what we want. We want the original. Luckily, when people make hoaxes, they usually shrink the image to make it harder to find the signatures of a hoax. So we just click to sort by size and there we have what is likely the original:

ETA: Original can be found in this set by Mike Hollingshead.

Then it lists a bunch of sites that have stolen this image to use without credit. (That’s a different post.) You can then click on the “Compare” link for the likely original and see what they did. By flipping between the versions, you can see that they added the Statue of Liberty, the water and the boat. They also shrunk the image and made it darker… because darker is scarier, apparently.

The important thing to realize here is that the attacker is trying to manipulate you. By spreading fear, they are making you more susceptible to future attacks. By taking advantage of your uncertainty and doubt, they put you in a position where you will do unwise things to gain an element of certainty in your life. Does this matter that much in an image hoax? Probably not. But it does matter when you start getting fraudulent emails convincing you to “click here” to help victims of the hurricane.

Uncertainty and doubt can work against you, but it can also work for you. When the attacks come … likely in a few hours, approach them with suspicion. If you’re in the path of the storm, trust the names you recognize, like Google and The National Weather Service. If you’re not in the path of the storm and want to send aid, go with The Red Cross. If anyone else you don’t know asks for your money or your clicks, ask yourself what they have to gain.

Sprinting through Security

We’re all familiar with old school consultants. These are people hired at $20/hr and rented out for $150/hr. It’s good business, if you can get it. All too often, however, the work is neither enjoyable for the consultant nor useful to the client. After years of trying and failing to make the old model work, I decided it was time to throw it out and start over. Thankfully, RJS agreed. As of today, we are one year into the process of reinventing security consulting.

The fundamental difference is that we’ve fully embraced the fact that the idea of 100% security is a trap. You can never be completely secure, so why base a security project around the idea that you can be? Instead, we focus on achieving a measurable improvement over “today.” Different businesses have vastly different security needs, so once you shift the goal away from “find and fix all the problems” to “strike a balance between defense and response,” myriad solutions become available.

Having a large number of solutions is great, as we can select the one that fits your company’s unique situation the best. But remember, it’s not perfect and will need constant attention to avoid “analysis paralysis” and to stay current with new security trends. To combat this, we look at the second key difference: time-bound tasks, or as we call them, security sprints.

With anything you do, there is one resource that completely vanishes — time. Other consulting approaches focus on minimizing either money or an amorphous concept of risk. The catch with those is that, to clearly pre-identify “risk reduced” or “money saved,” time is required. Since time is billed, it can cost a significant amount of money to identify how much money you’re saving!

Want to know how much more secure a project will make you? Pick a small project that can be done in a week or two, do the project, then measure. There’s no guess-work, no scope-creep and most importantly, no spending more money than required to improve your defenses.

This process affords another advantage we did not anticipate. In many cases, security fails because the people who put it in place are often not those responsible for maintaining it. Since security tends to weaken over time as attackers constantly improve, it is imperative that people explore alerts, identify what they mean to the business and take appropriate action. When the people who must manage the systems are not involved with the initial configuration, they tend to lose a lot of time tracking false alerts or, worse, missing legitimate issues.

Since our consulting process is time-bound and focused on helping improve security after we leave, we work on a lot of small projects. These projects are designed so that, when done, they can be absorbed into the business’s existing operations. We then come back for iterative tuning engagements and, over time, help maximize the business’s use of technology. This avoids the common problem of security being “someone else’s” issue, while minimizing the disruption that new technologies can cause.

In the end, after a year’s experimentation, we’ve found that a cyclical short-project consulting model has given our clients a level of security far greater than the traditional defense-only approach. While this didn’t surprise us (after all, that’s why we did it), we were surprised to find that these engagements generally came in 25% to 50% lower in cost than the traditional model. We’ve done security assessments, implementations and strategy planning sessions and, in every case, have achieved better security at a lower cost.

Please contact us if you’d like to learn more about our sprint model and how it can help you achieve a better state of security at a fraction of the price.

How do you respond when a moose is on the loose?

What would you do if you discovered that attackers had taken over your server and were in the process of stealing all your data?

What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?

What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?

If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) as having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SIEM systems.

However, this progression ignores a very powerful tool. As an example, here’s a video:

What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.

In general, organizations that trust their people, just let their people do what they need to do. Organizations that do not trust their people, invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes, people hide behind uncertainty and avoid doing the right thing.

The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.

But, for an even more horrifying view of the world, check out this Google News search on “followed policy.” A wider search on this shows that people who follow policy result in death, brain death and murder suspects being released.

So it would seem that this is a “damned if you do, damned if you don’t” situation, right?

It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.

Not everything can be avoided. Sometimes you just have to deal.

More on the moose is here.

Employee security awareness: it’s not about “should” or “shouldn’t.”

If there’s one myth in the footwear industry that just won’t die, it’s that everyone should have a pair of shoes. You can see the reasoning behind it, of course. We’ve all heard about the kid that ran around barefoot, stepped on a nail and had to get incredibly painful tetanus shots.

But do accidents like this prove that shoes are a must or is just the opposite? If people everywhere can get foot injuries with or without shoes, doesn’t that suggest that shoes really aren’t all that important?

One of the best examples ever of the limitations of shoes is Abebe Bikila, who won the 1960 Summer Olympics marathon without any shoes at all.

Fundamentally, what society is saying when demanding that people wear shoes is “it’s not our fault” if people take risks – like not wearing shoes – and get injured. But this is false. An individual has no control over where they put their feet and they don’t have the ability to recognize hazards like broken glass, nails or poisonous vipers. After all, is the average person really a match for a vicious snake? Blaming poisonings on a lack of shoes is misguided – particularly given the stabby nature of snake fangs.

I’ll admit, it’s hard to find statistical evidence that supports this point of view. Not surprisingly, shoe manufacturers don’t share data on how protective their products truly are …

That’s probably enough of that nonsense.

In case you didn’t know, this post is in response to Dave Aitel’s recent article at CSO. While I am hardly one to defend the status quo, there are two logical fallacies at play here. The first is binary thinking … effectively saying “if a defense isn’t 100% effective, it’s not worth doing.” The second is the flaw of hand-picking anecdotes to support your premise.

This is regrettable because the bulleted advice on page two of Aitel’s article is good, if somewhat standard. It’s just that this advice should be followed in addition to employee training, not instead of “wasting time on employee training.”

To drastically over-simplify, security involves identifying what you need to protect and then protecting it. In a global security market (which we’ve matured into), you have a second rule … identify what you want and attack until you get it. These two rules play against one another, with both the attackers and defenders constantly increasing their capabilities until a defender somewhere gets compromised or an attacker gets sloppy, caught and removed from the game.

Then, you repeat the cycle ad infinitum.

In a world that operates this way, the weakest entity is going to be the first out, on either side. And, since security is multidimensional, it will be the first entity with weak enough security along any dimension … technology, process or people. By removing your focus entirely from awareness training to focus on technology and process, you defend only part of your organization. By focusing strictly on network-based defenses, you open a massive hole for non-network attacks.

As soon as it becomes easiest for an attacker to bribe an internal employee to sell them data, they will. As soon as it becomes easiest for them to bluff their way through a job interview to steal data, they will. As soon as it becomes easiest to put on a uniform to steal equipment, they will.

The attacker’s game is “whatever works,” and if we only focus on what is easiest for us to do, we open up doors for attacks.

So … stop spending money on awareness if you want … but only do so if you have taken a good view of your entire organization and have identified areas where those resources are better spent. Be aware, though, that just as we lack solid statistics on how bad awareness is as a defensive layer, we also lack solid statistics on how good it is. For every story I can tell on how I’ve found a person not doing what they should in an organization, I have one that talks about how good they are.

If you need contrarian advice, avoid those that are expressed as binaries. Consider the following:

  • Does password rotation cause more trouble than it’s worth? If users are selecting bad passwords because they have to change them often, maybe it’s time to stop doing that.
  • If you have security alerts that are being ignored by your people, your systems probably aren’t being maintained properly. As soon as you stop maintaining your systems, they shift from being assets to liabilities. Think about fixing them … or getting rid of them.
  • Are your people overly constrained? If you have customer service employees following scripts, you’ve basically turned them into technology. Turns out that we have technology in the first place because people are bad at that sort of thing. Ponder that.
  • Is a data breach all that bad? In some industries, sure … but if it were universal, it seems as though there’d be a lot more companies going out of business. Think about what a breach would really mean and how you’d handle it. Odds are, you’re far weaker in response capabilities than you are on defense. Instead of shifting defense dollars from people to technology, maybe you need to invest somewhere else entirely.

Basically, the core lesson here is “think before you spend.” Don’t blindly follow the advice of anyone (including me). Assess your environment, consider your goals and the events that could prevent you from achieving them. Then, and only then, look at how you choose to use your resources.